Choice Escrow And Land Title, Llc. v. Bancorpsouth Bank

754 F.3d 611 (8th Cir. 2014)

Facts

Choice (P) is a Missouri company that provides real estate escrow services. In 2009, P opened a trust account at BancorpSouth (D) for this purpose. P deposited customer funds in its account at D when the transaction closed P then wired the money to the seller at closing. P's employees performed these tasks over the Internet using an online banking platform called InView. D had four security measures designed to ensure that P's employees, and only P's employees, would be able to access P's account. D required each InView user to register a unique user id and password. Without it, access to the account was impossible. D installed device authentication software called PassMark. When a customer's employee-first registered for InView, PassMark recorded the IP address of the employee's computer as well as information about the computer itself-information relating to, for instance, the computer's operating system, central processing unit, browser, screen, time zone settings, and language settings. Upon subsequent access, PassMark verified that the characteristics of that user's computer were consistent with the information PassMark had recorded about the employee's computer. If a user attempted to access InView from an unrecognized computer, the user would be prompted to answer 'challenge questions' to verify the user's identity. If the user answered these questions correctly, the new computer would be added to the list of recognized computers, and the user would be able to access InView. D allowed its customers to place dollar limits on the daily volume of wire transfer activity from their accounts. P declined to place daily transfer limits on its account. D also allowed dual verification. In essence, a transfer would require two authorized users, each using a unique user id and password to log in to InView and separately approve the pending payment order. Any customer declining to use dual verification had to sign a waiver acknowledging that it was waiving dual control and that it understood the risks associated with using a single-control (i.e., single-user) security system. P declined the use of dual control and signed the requisite waiver. In November 2009, P warning it of a 'phishing' scam. D again warned P that dual control was the only solution they had available as they were unable to stop foreign wire transfers. P refused to use dual control. On March 17, 2010, a third party accessed P's online bank account and issued a payment order instructing D to transfer $440,000 from D's account to a banking institution in the Republic of Cypress. D accepted and executed the payment order. After attempts to recover the funds failed, P sued D for the lost funds, and D counterclaimed for attorney's fees based on an indemnification agreement that it had executed with P.